Biometrics, like fingerprints and iris scans, is being used more and more as a reliable form of authentication for online transactions. But how can we be sure that this data won’t be compromised? To ensure security and privacy when managing and processing biometric information, ISO and the International Electrotechnical Commission (IEC) have jointly published a new International Standard, ISO/IEC 24745:2011, Information technology – Security techniques – Biometric information protection.

Biometrics refers to the automated identification of individuals based on their behavioural and physiological characteristics. It includes recognition technologies based on face, iris or palms image, voice patterns and the like e.g. fingerprint scans used to access a computer, or iris scans to cross border control.

Mr. Myung Geun Chun, Project Editor of ISO/IEC 24745 explains “As the Internet is increasingly used to access services with highly sensitive information, such as eBanking and remote healthcare, the reliability and strength of authentication mechanisms is critical. Biometrics is regarded as a powerful solution because of its unique link to an individual that is nearly or absolutely impossible to fake.

U.S. Involvement in JTC 1

The U.S. plays a leading role in the work of ISO/IEC JTC 1, with the American National Standards Institute (ANSI) serving as secretariat, and Karen Higginbottom acting as chairperson. ANSI member and accredited standards developer the InterNational Committee for Information Technology Standards (INCITS) administers the U.S. Technical Advisory Group (TAG) to JTC 1.

“And the technology has come of age. The cost of biometric techniques has been decreasing, while their reliability and popularity have been growing. But biometric identification raises unique privacy concerns.

“While the unchanging and distinct association with an individual on the one hand, provides strong assurance of authentication, this binding which links biometrics with personally identifiable information on the other hand, carries some risks, including the unlawful processing and use of data. ISO/IEC 24745 is an invaluable tool for addressing those risks.”

With biometrics, if the authentication information is compromised, usual solutions such as issuing a new password or token are not available because biometric characteristics are difficult or impossible to change. Moreover, as more and more personal identifiable information is linked with biometric references, and this data is shared across international borders, it is crucial to safeguard the security of a biometric system and the privacy of data subjects with solid countermeasures as outlined in ISO/IEC 24745.

The standard specifies:

Analysis of threats and countermeasures inherent in a biometric and biometric system application models

Security requirements for binding between a biometric reference and an identity reference

Biometric system application models with different scenarios for the storage and comparison of biometric references

Guidance on the protection of an individual’s privacy during the processing of biometric information.